Status

Release Engineering
General
RESOLVED FIXED
2 years ago
2 months ago

People

(Reporter: rail, Assigned: rail)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Assignee)

Description

2 years ago
Per https://bugzilla.mozilla.org/show_bug.cgi?id=1105689#c39 we need to generate multiple certs/keys for new MAR signing format.

* SHA384
* Key size of 4096

We probably need 3 different certs/keys, similar to keys in https://hg.mozilla.org/mozilla-central/file/default/toolkit/mozapps/update/updater/:

* dep
* nightly
* release

The keys should be safely generated and stored according to https://mana.mozilla.org/wiki/display/RelEng/Signing
(Assignee)

Updated

2 years ago
Assignee: nobody → rail
(Assignee)

Updated

2 years ago
Blocks: 1324501
(Assignee)

Comment 1

2 years ago
Created attachment 8826276 [details]
keys-export.tar.gz

Generated using:

# dep
mkdir -p secrets/mar-sha384
certutil -d secrets/mar-sha384 -N

certutil -d secrets/mar-sha384 -S -n dep1 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=CI MAR signing key 1" -x
certutil -L -d secrets/mar-sha384 -n dep1 -r > dep1.der

certutil -d secrets/mar-sha384 -S -n dep2 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=CI MAR signing key 2" -x
certutil -L -d secrets/mar-sha384 -n dep2 -r > dep2.der

# nightly
mkdir -p secrets/mar-sha384
certutil -d secrets/mar-sha384 -N

certutil -d secrets/mar-sha384 -S -n nightly1 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=Nightly MAR signing key 1" -x
certutil -L -d secrets/mar-sha384 -n nightly1 -r > nightly1.der

certutil -d secrets/mar-sha384 -S -n nightly2 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=Nightly MAR signing key 2" -x
certutil -L -d secrets/mar-sha384 -n nightly2 -r > nightly2.der


# release
mkdir -p secrets/mar-sha384
certutil -d secrets/mar-sha384 -N

certutil -d secrets/mar-sha384 -S -n rel1 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=Release MAR signing key 1" -x
certutil -L -d secrets/mar-sha384 -n rel1 -r > rel1.der

certutil -d secrets/mar-sha384 -S -n rel2 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=Release MAR signing key 2" -x
certutil -L -d secrets/mar-sha384 -n rel2 -r > rel2.der
(Assignee)

Comment 2

2 years ago
Robert, can you verify the attached keys?
Flags: needinfo?(robert.strong.bugs)
The keys are all SHA384 so that is good. Only one of the keys has the same CN as the current keys which should be fine... see below.

(In reply to Rail Aliiev [:rail] ⌚️ET from comment #1)
> Created attachment 8826276 [details]
> keys-export.tar.gz
> 
> Generated using:
> 
> # dep
> mkdir -p secrets/mar-sha384
> certutil -d secrets/mar-sha384 -N
> 
> certutil -d secrets/mar-sha384 -S -n dep1 -w -3 -v 0 -t ",,u" -Z SHA384 -g
> 4096 -s "CN=CI MAR signing key 1" -x
> certutil -L -d secrets/mar-sha384 -n dep1 -r > dep1.der
dep1

> 
> certutil -d secrets/mar-sha384 -S -n dep2 -w -3 -v 0 -t ",,u" -Z SHA384 -g
> 4096 -s "CN=CI MAR signing key 2" -x
> certutil -L -d secrets/mar-sha384 -n dep2 -r > dep2.der
dep2

> 
> # nightly
> mkdir -p secrets/mar-sha384
> certutil -d secrets/mar-sha384 -N
> 
> certutil -d secrets/mar-sha384 -S -n nightly1 -w -3 -v 0 -t ",,u" -Z SHA384
> -g 4096 -s "CN=Nightly MAR signing key 1" -x
> certutil -L -d secrets/mar-sha384 -n nightly1 -r > nightly1.der
nightly1

> 
> certutil -d secrets/mar-sha384 -S -n nightly2 -w -3 -v 0 -t ",,u" -Z SHA384
> -g 4096 -s "CN=Nightly MAR signing key 2" -x
> certutil -L -d secrets/mar-sha384 -n nightly2 -r > nightly2.der
nightly2

> 
> 
> # release
> mkdir -p secrets/mar-sha384
> certutil -d secrets/mar-sha384 -N
> 
> certutil -d secrets/mar-sha384 -S -n rel1 -w -3 -v 0 -t ",,u" -Z SHA384 -g
> 4096 -s "CN=Release MAR signing key 1" -x
> certutil -L -d secrets/mar-sha384 -n rel1 -r > rel1.der
Release MAR signing key

> 
> certutil -d secrets/mar-sha384 -S -n rel2 -w -3 -v 0 -t ",,u" -Z SHA384 -g
> 4096 -s "CN=Release MAR signing key 2" -x
> certutil -L -d secrets/mar-sha384 -n rel2 -r > rel2.der
Release MAR signing key 2

Will the nicknames collide with the existing cert nicknames in your cert store?
Flags: needinfo?(robert.strong.bugs)
(Assignee)

Comment 4

2 years ago
We are going to use a separate cert store for this one, so there will be no collisions. I"m going to resolve this and proceed with the current keys.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Component: General Automation → General
Product: Release Engineering → Release Engineering
You need to log in before you can comment on or make changes to this bug.